From f8eee37e5136ee9de59ad69c1a5b9768ff332a43 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Sat, 10 May 2025 20:17:40 +0200
Subject: [PATCH] dns fuckery

---
 flake.lock | 33 +++++++++++++++++----
 flake.nix | 5 ++++
 hosts/falkenstein/modules/caddy/default.nix | 2 +-
 hosts/falkenstein/modules/dns/default.nix | 23 +++++++++++---
 hosts/fujitsu/modules/jellyfin/default.nix | 4 +--
 hosts/nuc/modules/adguard/default.nix | 2 +-
 hosts/nuc/modules/atuin/default.nix | 2 +-
 hosts/nuc/modules/indexing/prowlarr.nix | 2 +-
 hosts/nuc/modules/indexing/radarr.nix | 2 +-
 hosts/nuc/modules/indexing/sonarr.nix | 2 +-
 hosts/nuc/modules/torrent/default.nix | 2 +-
 shared/caddy/default.nix | 3 +-
 12 files changed, 62 insertions(+), 20 deletions(-)

diff --git a/flake.lock b/flake.lock
index be1cd3c..16cdc90 100644
--- a/flake.lock
+++ b/flake.lock
@@ -39,11 +39,11 @@
 "uv2nix": "uv2nix"
 },
 "locked": {
- "lastModified": 1746770624,
- "narHash": "sha256-40c1p1EiveXd8P4MsG21+M4x/0QOCGQJP0ISyx9L1QE=",
+ "lastModified": 1746874492,
+ "narHash": "sha256-Gm2Eb5KBxAL6y9WJj7phRMXNAZzVkKlm9Dky9WDZHtQ=",
 "owner": "nix-community",
 "repo": "authentik-nix",
- "rev": "0b5a36483867e2473a40610d0dcb7cb06260a6cf",
+ "rev": "2ef24fac993808a1a57f367ef58ac0f5254c3489",
 "type": "github"
 },
 "original": {
@@ -85,6 +85,26 @@
 "type": "github"
 }
 },
+ "caddy-patched": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1746901403,
+ "narHash": "sha256-2tkRHeNEkaE1x0ayfi30+nrIQv4Nio/NeT8U3i3qeQA=",
+ "owner": "rouven0",
+ "repo": "nixos-caddy-patched",
+ "rev": "ad2df7623e62ee4595c8f523b30cf6914a2cb6bd",
+ "type": "github"
+ },
+ "original": {
+ "owner": "rouven0",
+ "repo": "nixos-caddy-patched",
+ "type": "github"
+ }
+ },
 "crane": {
 "locked": {
 "lastModified": 1731098351,
@@ -279,11 +299,11 @@
 ]
 },
 "locked": {
- "lastModified": 1746798521,
- "narHash": "sha256-axfz/jBEH9XHpS7YSumstV7b2PrPf7L8bhWUtLBv3nA=",
+ "lastModified": 1746892839,
+ "narHash": "sha256-0b9us0bIOgA1j/s/6zlxVyP3m97yAh0U+YwKayJ6mmU=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "e95a7c5b6fa93304cd2fd78cf676c4f6d23c422c",
+ "rev": "12e67385964d9c9304daa81d0ad5ba3b01fdd35e",
 "type": "github"
 },
 "original": {
@@ -616,6 +636,7 @@
 "inputs": {
 "agenix": "agenix",
 "authentik": "authentik",
+ "caddy-patched": "caddy-patched",
 "dns": "dns",
 "home-manager": "home-manager",
 "impermanence": "impermanence",
diff --git a/flake.nix b/flake.nix
index ea13a0e..61d6a1b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -47,6 +47,10 @@
 url = "github:nix-community/lanzaboote/v0.4.2";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ caddy-patched = {
+ url = "github:rouven0/nixos-caddy-patched";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 
 outputs =
@@ -62,6 +66,7 @@
 , purge
 , trucksimulatorbot
 , pfersel
+ , caddy-patched
 , ...
 }@attrs: {
 packages.x86_64-linux = {
diff --git a/hosts/falkenstein/modules/caddy/default.nix b/hosts/falkenstein/modules/caddy/default.nix
index b5126b1..2099cad 100644
--- a/hosts/falkenstein/modules/caddy/default.nix
+++ b/hosts/falkenstein/modules/caddy/default.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, caddy-patched, ... }:
 let
 # matrix homeserver discovery
 matrix_domain = "matrix.${config.networking.domain}";
diff --git a/hosts/falkenstein/modules/dns/default.nix b/hosts/falkenstein/modules/dns/default.nix
index c9e79b1..80db608 100644
--- a/hosts/falkenstein/modules/dns/default.nix
+++ b/hosts/falkenstein/modules/dns/default.nix
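Review bot: The new `caddy-patched` input in flake.nix is fetched from `github:rouven0/nixos-caddy-patched` with no ref or rev, unlike the `lanzaboote/v0.4.2` line right above it, so any `nix flake update` will move it to whatever the default branch holds. Since this input is intended to replace the TLS-terminating `services.caddy.package` on every host, it deserves the same pinning discipline as the other inputs, e.g. `url = "github:rouven0/nixos-caddy-patched/<tag-or-rev>";` with a real tag or commit in place of the placeholder. flake.lock currently pins rev ad2df7623e62ee4595c8f523b30cf6914a2cb6bd, which is fine as long as the lock is always committed together with flake.nix.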
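Review bot: `caddy-patched` is added to the argument set of hosts/falkenstein/modules/caddy/default.nix but nothing visible in the hunk uses it, and in shared/caddy/default.nix the only use is a commented-out line, so on both files the binding is currently dead. A non-standard module argument like this is only available if the flake passes it through `specialArgs` (or `_module.args`); the flake.nix hunk binds `caddy-patched` in `outputs`, but the `nixosSystem` calls are not in the diff, so please confirm it is threaded through or the module evaluation will fail on the missing argument. If the package override is going to live in shared/caddy/default.nix, the extra argument in the falkenstein module can be dropped again to keep the override in one place.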
@@ -11,7 +11,8 @@ let
 {
 nameServer = "ns.rfive.de.";
 adminEmail = "hostmaster@rfive.de";
- serial = lib.strings.toInt (builtins.substring 0 8 self.sourceInfo.lastModifiedDate + toString ((modulo self.sourceInfo.lastModified 86400) / 864));
+ # serial = lib.strings.toInt (builtins.substring 0 8 self.sourceInfo.lastModifiedDate + toString ((modulo self.sourceInfo.lastModified 86400) / 864));
+ serial = 2025051079;
 refresh = 10800;
 retry = 3600;
 expire = 604800;
@@ -36,9 +37,14 @@ let
 subdomains = let
+ # fetches all VgetVirtualHosts from the caddy config
 getVirtualHosts = hostname: map (name: builtins.substring 0 (builtins.stringLength name - (builtins.stringLength domain + 1)) name) (builtins.attrNames self.nixosConfigurations."${hostname}".config.services.caddy.virtualHosts);
+ # generate CNAMES from caddy service to host
 genCNAMEs = hostname: lib.attrsets.genAttrs (getVirtualHosts hostname) (_label: { CNAME = [ "${hostname}.${domain}." ]; });
+ # generate ACME challenge recorsd for every VirtualHost
 genACMECNAMEs = hostname: lib.attrsets.genAttrs (getVirtualHosts hostname) (_label: { subdomains._acme-challenge.CNAME = [ "challenge.acme.${domain}." ]; });
+ # fuckery to merge the generated attribute lists
+ mergeRecords = recordList: lib.attrsets.mapAttrs (_host: records: lib.attrsets.mergeAttrsList records) (lib.attrsets.zipAttrs recordList);
 in lib.attrsets.mergeAttrsList [ rec {
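Review bot: The SOA serial is now the literal `2025051079` and the `lastModified`-based derivation is left behind as a commented-out line, so every future change to the generated zone file will ship with an unchanged serial unless someone remembers to edit this constant; any secondary for rfive.de would keep serving the old zone, and `serial-update-method date` further down only rewrites the serial on dynamic updates, not on a reloaded file (hedged, depending on how inline-signing handles reloads). The comment should state why the derivation was disabled and what the manual procedure is, e.g. `# serial: YYYYMMDDnn, bump by hand on every zone change — the lastModified derivation was disabled because <reason>`. If the derivation was disabled because of a conflict with the new dynamic-update setup, say so here, otherwise delete the dead line rather than commenting it out.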
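Review bot: The four comments added in the `subdomains` let-block contain typos and one that explains nothing: `VgetVirtualHosts` should read `virtualHosts`, `recorsd` should read `records`, and `# fuckery to merge the generated attribute lists` should describe the mechanism, e.g. `# merge per-label record sets: zipAttrs groups the same label across the list, mergeAttrsList then merges each group's records (shallow: later entries win on a duplicate key)`. That last caveat matters because `mergeAttrsList` is not recursive; it works here only because `genCNAMEs` sets `CNAME` while `genACMECNAMEs` sets `subdomains`, two different top-level keys, and a future generator that also sets `subdomains` on the same label would silently overwrite the `_acme-challenge` entry. A note to that effect on `mergeRecords` would save the next reader from rediscovering it. The enclosing `subdomains` expression continues beyond this hunk.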
@@ -58,9 +64,15 @@ let
 _domainkey.subdomains.rspamd.TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoirUMubro4nlmY6a8JMwK9QB2agAXiJzexDU/7ba6KCggONfoSTfUHlrM/XeM1GG/9oKpngApxDPP97adJuxc8/EELyo4HjTyYD8GBFZhg0AN7V8IPaJ1o5k6dGDk8ZLh41ZCnlAVWkhVSKs5pYtzkrlJIfUSzyuoe8nuFsVe3QIDAQAB" ];
 "*".subdomains."_acme-challenge".CNAME = [ "challenge.acme.rfive.de" ];
 }
- (builtins.removeAttrs (genCNAMEs "nuc") ([ ":2018" ] ++ (builtins.filter (host: lib.strings.hasInfix "vpn" host) (getVirtualHosts "nuc"))))
- (builtins.removeAttrs (genACMECNAMEs "nuc") ([ ":2018" ]))
- (builtins.removeAttrs (genCNAMEs "falkenstein") [ "mail" ":2018" ])
+ (mergeRecords [
+ (builtins.removeAttrs (genCNAMEs "nuc") ([ ":2018" ] ++ (builtins.filter (host: lib.strings.hasInfix "vpn" host) (getVirtualHosts "nuc"))))
+ (builtins.removeAttrs (genACMECNAMEs "nuc") ([ ":2018" ]))
+ ])
+ (mergeRecords [
+ (builtins.removeAttrs (genCNAMEs "falkenstein") ([ ":2018" "mail" ]))
+ (builtins.removeAttrs (genACMECNAMEs "falkenstein") ([ ":2018" "mail" ]))
+ ])
+ (builtins.removeAttrs (genACMECNAMEs "fujitsu") ([ ":2018" ]))
 ];
 });
 in
@@ -89,6 +101,9 @@ in
 dnssec-policy split-keys;
 inline-signing yes;
 serial-update-method date;
+ update-policy {
+ grant caddy. name challenge.acme.rfive.de. txt;
+ };
 '';
 file = "${directory}/rfive.de.zone.txt";
 };
diff --git a/hosts/fujitsu/modules/jellyfin/default.nix b/hosts/fujitsu/modules/jellyfin/default.nix
index fdb5880..12f003e 100644
--- a/hosts/fujitsu/modules/jellyfin/default.nix
+++ b/hosts/fujitsu/modules/jellyfin/default.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ ... }:
 let
 domain = "media.vpn.rfive.de";
 in
@@ -6,7 +6,7 @@ in
 services.jellyfin = {
 enable = true;
 };
- services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+ services.caddy.virtualHosts."${domain}".extraConfig = ''
 reverse_proxy 127.0.0.1:8096
 '';
 }
diff --git a/hosts/nuc/modules/adguard/default.nix b/hosts/nuc/modules/adguard/default.nix
index 86ef790..193e99d 100644
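Review bot: The exclusion lists passed to `removeAttrs` are now written out once per generator — `[ ":2018" ]` twice for nuc, `[ ":2018" "mail" ]` twice for falkenstein, `[ ":2018" ]` again for fujitsu — so the CNAME set and the `_acme-challenge` set for one host can drift apart the next time someone edits only one of them. Hoist them into the let-block, e.g. `nucExcluded = [ ":2018" ] ++ (builtins.filter (host: lib.strings.hasInfix "vpn" host) (getVirtualHosts "nuc"));` and `falkensteinExcluded = [ ":2018" "mail" ];`, and pass the same name to both calls inside each `mergeRecords`. Separately, the unchanged wildcard line above the new block points `_acme-challenge` at `"challenge.acme.rfive.de"` without the trailing dot while every generated record uses `"challenge.acme.${domain}."`; if the dns library does not qualify relative names this wildcard target resolves differently from the generated ones, so it is worth checking and writing it as `"challenge.acme.rfive.de."` for consistency. Note that nuc's vpn hosts are excluded from `genCNAMEs` but not from `genACMECNAMEs`, which looks intentional (DNS-01 for internal names) and deserves a one-line comment saying so.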
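Review bot: The new `update-policy` grants the identity `caddy.` the right to change TXT at `challenge.acme.rfive.de.`, but no `key "caddy."` statement appears in this hunk or elsewhere in the diff; BIND refuses to load a policy that names an undeclared key, and wherever the statement lives its secret should come from an agenix-managed file rather than the zone config (agenix is already an input of this flake). The grant itself is tightly scoped (one name, one RR type), which is good, but because every `_acme-challenge` label in the zone is a CNAME to that single name, any host holding the `caddy.` key can satisfy DNS-01 for every name under rfive.de, mail and matrix included, so the key's compromise blast radius is the whole zone; per-host challenge names with per-host keys would confine it. Enabling dynamic updates also turns this into a dynamic zone that BIND must be able to write (journal next to `file`), so confirm `${directory}` is writable at runtime and not a store path — the definition of `directory` is outside the hunk. A comment on the `update-policy` block stating which hosts hold the key and what it is for would help the next maintainer.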
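Review bot: Dropping the `http://` prefix on the `media.vpn.rfive.de` virtual host switches Caddy to automatic HTTPS for a name that, judging by the `vpn` filter in the dns module, is not published with a public CNAME and is presumably reachable only over the VPN, so the default HTTP-01 and TLS-ALPN-01 challenges cannot succeed and only DNS-01 can. DNS-01 needs a Caddy build that ships a DNS provider module plus an `acme_dns` directive in the global config, yet shared/caddy/default.nix in this same commit leaves `package = caddy-patched.packages.x86_64-linux.default;` commented out, so until that is enabled Caddy will retry failed issuance for these names against the CA. The same applies to the identical `http://${domain}` → `${domain}` changes in hosts/nuc/modules/adguard, atuin, indexing/prowlarr, indexing/radarr, indexing/sonarr and torrent. Either enable the patched package and the challenge configuration in the same commit, or keep the `http://` prefix on the VPN-only hosts until that lands.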
--- a/hosts/nuc/modules/adguard/default.nix
+++ b/hosts/nuc/modules/adguard/default.nix
@@ -13,7 +13,7 @@ in
 http.address = "127.0.0.1:${toString port}";
 };
 };
- services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+ services.caddy.virtualHosts."${domain}".extraConfig = ''
 reverse_proxy 127.0.0.1:${toString port}
 '';
 }
diff --git a/hosts/nuc/modules/atuin/default.nix b/hosts/nuc/modules/atuin/default.nix
index 96442cf..4e48bf9 100644
--- a/hosts/nuc/modules/atuin/default.nix
+++ b/hosts/nuc/modules/atuin/default.nix
@@ -6,7 +6,7 @@ in
 services.atuin = {
 enable = true;
 };
- services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+ services.caddy.virtualHosts."${domain}".extraConfig = ''
 reverse_proxy 127.0.0.1:${toString config.services.atuin.port}
 '';
 }
diff --git a/hosts/nuc/modules/indexing/prowlarr.nix b/hosts/nuc/modules/indexing/prowlarr.nix
index 5a2910b..4c66610 100644
--- a/hosts/nuc/modules/indexing/prowlarr.nix
+++ b/hosts/nuc/modules/indexing/prowlarr.nix
@@ -6,7 +6,7 @@ in
 services.prowlarr = {
 enable = true;
 };
- services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+ services.caddy.virtualHosts."${domain}".extraConfig = ''
 reverse_proxy 127.0.0.1:${toString config.services.prowlarr.settings.server.port}
 '';
 }
diff --git a/hosts/nuc/modules/indexing/radarr.nix b/hosts/nuc/modules/indexing/radarr.nix
index 1eda08e..f334ce4 100644
--- a/hosts/nuc/modules/indexing/radarr.nix
+++ b/hosts/nuc/modules/indexing/radarr.nix
@@ -6,7 +6,7 @@ in
 services.radarr = {
 enable = true;
 };
- services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+ services.caddy.virtualHosts."${domain}".extraConfig = ''
 reverse_proxy 127.0.0.1:${toString config.services.radarr.settings.server.port}
 '';
 }
diff --git a/hosts/nuc/modules/indexing/sonarr.nix b/hosts/nuc/modules/indexing/sonarr.nix
index 2596e14..ebc3e5d 100644
--- a/hosts/nuc/modules/indexing/sonarr.nix
+++ b/hosts/nuc/modules/indexing/sonarr.nix
@@ -6,7 +6,7 @@ in
 services.sonarr = {
 enable = true;
 };
- services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+ services.caddy.virtualHosts."${domain}".extraConfig = ''
 reverse_proxy 127.0.0.1:${toString config.services.sonarr.settings.server.port}
 '';
 }
diff --git a/hosts/nuc/modules/torrent/default.nix b/hosts/nuc/modules/torrent/default.nix
index dd9e081..38db1f9 100644
--- a/hosts/nuc/modules/torrent/default.nix
+++ b/hosts/nuc/modules/torrent/default.nix
@@ -125,7 +125,7 @@ in
 SystemCallFilter = "@system-service";
 };
 };
- services.caddy.virtualHosts."http://${domain}".extraConfig = ''
+ services.caddy.virtualHosts."${domain}".extraConfig = ''
 reverse_proxy 127.0.0.1:${toString cfg.port}
 '';
 systemd.tmpfiles.rules = [
diff --git a/shared/caddy/default.nix b/shared/caddy/default.nix
index ef52dd7..bf4aa0d 100644
--- a/shared/caddy/default.nix
+++ b/shared/caddy/default.nix
@@ -1,7 +1,8 @@
-{ config, ... }:
+{ config, caddy-patched, ... }:
 {
 services.caddy = {
 enable = true;
+ # package = caddy-patched.packages.x86_64-linux.default;
 email = "ca@${config.networking.domain}";
 logFormat = "format console";
 globalConfig = ''
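Review bot: `# package = caddy-patched.packages.x86_64-linux.default;` in shared/caddy/default.nix is commented-out code with no explanation, so a reader cannot tell whether it is pending, abandoned, or deliberately disabled; either enable it or replace it with a comment stating what blocks it, e.g. `# TODO: switch to caddy-patched (DNS-01 provider) once the challenge.acme update-policy is in place`. When it is enabled, avoid hard-coding the system: `package = caddy-patched.packages.${pkgs.stdenv.hostPlatform.system}.default;` (with `pkgs` added to the module arguments) keeps the shared module usable on any host. Swapping the nixpkgs Caddy for a build from a personal repository also moves the TLS-terminating binary outside the nixpkgs review and cache path, so the flake.lock pin (rev ad2df7623e62ee4595c8f523b30cf6914a2cb6bd) should be treated as part of this file's security boundary and bumped deliberately. The `services.caddy` attribute set continues beyond this hunk.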